Headline
CVE-2023-40185: Provide explicit `$PATH` value to which by ericcornelissen · Pull Request #1142 · ericcornelissen/shescape
Shescape is a simple shell escape library for JavaScript. The vulnerability may impact users who use Shescape on Windows in a threaded context. It can result in Shescape escaping (or quoting) for the wrong shell, allowing attackers to bypass protections depending on the combination of expected and used shell. This bug has been patched in version 1.7.4.
Relates to #1125, #1137, #1138
Summary
Update the implementation of `resolveExecutable` to accept the environment variables so that they can explicitly be provided to `which`. All internal code and tests have been updated accordingly; no external changes.
This is in an effort to fix a problem where environment variables aren’t always passed on correctly to subprocesses. For Shescape this means a forked process on Windows could fail to look up the executable.
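The approach in the summary above, as an added example that is not Shescape's own code: the lookup takes the environment as an explicit argument, reads `PATH` without depending on key casing, and throws instead of guessing a shell when resolution fails. The helper names, the sample file set and environment, and the assumption that the changed variable name is a casing difference (`Path` instead of `PATH`) are constructed for this illustration.

```javascript
// Added example; helper names are hypothetical, not Shescape's API.

// Read a variable from an explicit env object without relying on key casing.
// Assumption: the worker's copy carries "Path" where the code expects "PATH".
function getEnv(env, name) {
  if (Object.prototype.hasOwnProperty.call(env, name)) return env[name];
  const wanted = name.toUpperCase();
  const key = Object.keys(env).find((k) => k.toUpperCase() === wanted);
  return key === undefined ? undefined : env[key];
}

// Resolve `executable` against the PATH of the env passed in (Windows layout).
// `exists` is injected so the result never depends on ambient process state.
function resolveWithExplicitEnv(executable, env, exists) {
  const searchPath = getEnv(env, "PATH");
  if (!searchPath) {
    throw new Error("no PATH in the provided environment");
  }
  const exts = (getEnv(env, "PATHEXT") || "").split(";").filter(Boolean);
  const names = [executable, ...exts.map((ext) => executable + ext.toLowerCase())];
  for (const dir of searchPath.split(";").filter(Boolean)) {
    for (const name of names) {
      const candidate = dir.replace(/[\\/]+$/, "") + "\\" + name;
      if (exists(candidate)) return candidate;
    }
  }
  // Fail closed: escaping for a guessed shell is the failure mode to avoid.
  throw new Error(`cannot resolve "${executable}" on the provided PATH`);
}

// Constructed sample data: a fake file system and a worker-style env object.
const sampleFiles = new Set([
  "c:\\windows\\system32\\cmd.exe",
  "c:\\program files\\powershell\\7\\pwsh.exe",
]);
const sampleExists = (p) => sampleFiles.has(p.toLowerCase());
const workerEnv = {
  Path: "C:\\Windows\\System32;C:\\Program Files\\PowerShell\\7",
  PATHEXT: ".COM;.EXE",
};

console.log(workerEnv.PATH); // exact-case lookup misses the variable
console.log(resolveWithExplicitEnv("pwsh", workerEnv, sampleExists));
```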
Related news
### Impact

This may impact users that use Shescape on Windows in a threaded context (e.g. using [Worker threads](https://nodejs.org/api/worker_threads.html)). The vulnerability can result in Shescape escaping (or quoting) for the wrong shell, thus allowing attackers to bypass protections depending on the combination of expected and used shell.

This snippet demonstrates a vulnerable use of Shescape:

```javascript
// vulnerable.js

import { exec } from "node:child_process";
import { Worker, isMainThread } from 'node:worker_threads';

import * as shescape from "shescape";

if (isMainThread) {
  // 1. Something like a worker thread must be used. The reason being that they
  // unexpectedly change environment variable names on Windows.
  new Worker("./vulnerable.js");
} else {
  // 2. Example configuration that's problematic. In this setup example the
  // expected default system shell is CMD. We configure the use of PowerShell.
  // Shescape will fail to look up PowerShell and default t...
```